CounterMeasures - Security, Privacy, Trust
http://countermeasures.trendmicro.eu
A Trend Micro Solutions Architect Blog (feed generated Tue, 24 Feb 2015 12:28:11 +0000)

Superfish (and chips) or Super Phish?
http://countermeasures.trendmicro.eu/superfish-and-chips-or-super-phish/
Thu, 19 Feb 2015 11:03:03 +0000

UPDATE: The private key and associated password which enable third-party (i.e. attacker) MITM attacks have successfully been extracted. This means that an attacker on the same network as a compromised machine will be able to intercept any supposedly SSL-encrypted traffic.

UPDATE 2: Trend Micro detects the associated files as ADW_LOADSHOP and ADW_SUPERFISH. Users of compromised machines where a detection is made will still need to remove the Superfish certificate manually, as detailed at the end of this post.

UPDATE 3: Lenovo have now posted their own advisory on the “Superfish vulnerability” containing details of which models are affected and removal instructions for both the application and the associated certificate.

UPDATE 4: Lenovo have made support tools available to remove both the Superfish application and the certificate.

When the bad-guys get into the production line it’s really bad news, and rightly so. We’ve already seen stories about the e-cig charger that ships with malware preinstalled, the digital photo frame and many others. But what about when the manufacturers themselves start acting like bad-guys, whether out of malice or ignorance?

User reports are now emerging online that PC manufacturer Lenovo is shipping certain versions of its consumer laptops with the ironically named software “Superfish Visual Discovery” preinstalled at the factory, and that this software has capabilities far beyond the simple “adware” that you may have (unfortunately) come to expect from some manufacturers out there.

This spyware (we’ll discuss my use of that term in a second) has been shipping with Lenovo laptops for some time; in fact, back in January a Social Media Program Manager at Lenovo confirmed that Lenovo was putting a “temporary” hold on shipping this spyware, due to “some issues”. Of course that doesn’t stop units already in the distribution chain from shipping pre-compromised.

What does Superfish do that is SO worrying?

Among its bag of usual adware-type tricks, Superfish also installs its own self-signed Root Certificate Authority. In layman’s terms this means that Superfish can generate any certificate it wants, which will be trusted by your browser as entirely legitimate, allowing it to impersonate any destination on the internet. These sites are normally protected by strong encryption for your security, and usually only the other party in the conversation (your bank, Facebook, your email account or an online store, for example) is able to decrypt this privileged content.

By generating certificates under this self-signed root, Superfish is able to perform a Man-in-the-Middle attack, masquerading as any of these secure destinations and intercepting otherwise privileged communications. All this without ringing a single visual (or other) alarm bell on your PC or in your browser, because it is acting as a “trusted” root certificate authority. Worse still, the certificate they install uses SHA-1 (deprecated since 2011) and a 1024-bit RSA key (outdated since 2013), and the same Root CA private key is used on *every* Lenovo laptop, opening up the possibility of attacks against the certificate itself for widespread criminal abuse.

Worse still, it seems that a simple removal of Superfish does not remove the associated root certificate, leaving the computer open to further compromise such as eavesdropping or phishing through misuse or misappropriation of the certificate’s private key.

Affected users will need first to manually remove the Superfish application and subsequently to revoke and remove the Superfish root certificate. Here is a list of root certificates that are necessary for Windows, and a link to certificate removal instructions.
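The two defects called out above, a SHA-1 signature and a 1024-bit RSA key, can be checked from a certificate itself, which is also a useful way to audit a root store for anything that should not be there. The following is an added example, not code from this post, from Lenovo or from Superfish: a small standard-library DER walker that pulls the subject CN, signature algorithm OID and RSA modulus size out of an X.509 certificate and flags the weak values. The certificate it inspects is constructed inline with a tiny encoder (a placeholder subject name and placeholder key bytes, not the real Superfish certificate). On a Windows machine the same `inspect_certificate` function can be run over every entry returned by `ssl.enum_certificates("ROOT")`, which is what `scan_windows_root_store` does.

```python
import ssl

# Tiny DER encoder, used only to construct a sample certificate (no real key or signature)
def _der_len(n):
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return body if n < 0x80 else bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))

def encode_int(n):
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))  # spare byte keeps it positive

# DER reader: just enough to walk the fixed layout of an X.509 certificate
def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the element starting at pos."""
    tag, length, head = buf[pos], buf[pos + 1], 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        head += n
    start = pos + head
    return tag, buf[start:start + length], start + length

def children(body):
    items, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        items.append((tag, inner))
    return items

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

OID_CN = "2.5.4.3"
OID_RSA = "1.2.840.113549.1.1.1"
OID_SHA1_RSA = "1.2.840.113549.1.1.5"

def common_name(name_body):
    for _, rdn in children(name_body):                  # Name = SEQUENCE OF SET OF SEQUENCE {OID, value}
        for _, atv in children(rdn):
            oid, value = children(atv)
            if decode_oid(oid[1]) == OID_CN:
                return value[1].decode("utf-8")
    return None

def inspect_certificate(der):
    """Extract subject CN, signature algorithm OID and RSA key size from a DER certificate and
    flag the two weaknesses the post describes: a SHA-1 signature and a key under 2048 bits."""
    _, cert, _ = read_tlv(der)
    fields = children(children(cert)[0][1])             # tbsCertificate
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    sig_oid = decode_oid(children(fields[1][1])[0][1])
    subject = common_name(fields[4][1])
    bit_string = children(fields[5][1])[1][1][1:]       # subjectPublicKey, minus the unused-bits byte
    modulus = children(children(bit_string)[0][1])[0][1]
    key_bits = int.from_bytes(modulus, "big").bit_length()
    findings = []
    if sig_oid == OID_SHA1_RSA:
        findings.append("signed with SHA-1")
    if key_bits < 2048:
        findings.append("RSA key only %d bits" % key_bits)
    return {"subject": subject, "signature_oid": sig_oid, "key_bits": key_bits, "findings": findings}

def build_sample_cert(cn, key_bits, sig_oid):
    """Constructed self-signed certificate shape; modulus and signature are placeholder bytes."""
    modulus = (1 << (key_bits - 1)) | 0xABCDEF           # exactly key_bits long, not a real modulus
    name = seq(tlv(0x31, seq(encode_oid(OID_CN), tlv(0x0C, cn.encode("utf-8")))))
    alg = seq(encode_oid(sig_oid), tlv(0x05, b""))
    validity = seq(tlv(0x17, b"150101000000Z"), tlv(0x17, b"250101000000Z"))
    spki = seq(seq(encode_oid(OID_RSA), tlv(0x05, b"")),
               tlv(0x03, b"\x00" + seq(encode_int(modulus), encode_int(65537))))
    tbs = seq(tlv(0xA0, encode_int(2)), encode_int(1), alg, name, validity, name, spki)
    return seq(tbs, alg, tlv(0x03, b"\x00" * 17))

def scan_windows_root_store():
    """On Windows, inspect every X.509 entry in the machine ROOT store; empty list elsewhere."""
    if not hasattr(ssl, "enum_certificates"):
        return []
    return [inspect_certificate(der) for der, enc, _ in ssl.enum_certificates("ROOT") if enc == "x509_asn"]
```

Running `scan_windows_root_store()` and printing any result with a non-empty `findings` list gives a quick view of which roots on a machine use SHA-1 or short keys; a root you did not install, with both findings, is exactly the case described above and should be removed using the instructions linked at the end of this post.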

Longer term, I believe manufacturers should be obliged to offer the option of buying all PCs as a bare-metal option i.e. with no operating system pre-installed. Not only would this reduce cost to the user, it would also increase freedom of choice of Operating System and hand full control back to the owner of the device.

We awoke this morning to the entirely unnecessary sight of the personal photos of several celebrities; the pictures range from the fully clothed “mirror selfie” to the far more explicit. Victims include Jennifer Lawrence, Ariana Grande, Kate Upton and Victoria Justice. For obvious reasons, clicking on links to “naked celebrity” photos or opening email attachments would be a *very* bad idea right now; expect criminals to ride this bandwagon immediately.

The images first surfaced on the infamous 4chan image board where the author is claiming to have much more photographic and even video material, stolen from iCloud accounts and for sale to the highest bidder. Of course the release of the photos has also prompted a rash of fake images but the reality of many of these images, confirmed in some cases by the victim’s agents, poses an uncomfortable question for anyone using iCloud and indeed anyone who has anything they would rather keep private… Is my cloud storage safe?

A wide scale “hack” of Apple’s iCloud is unlikely, even the original poster is not claiming that. The fact that certain celebrities are involved and the nature of the stolen material makes this seem far more targeted. So how could it have happened?

1 – (Least likely) All the celebrities affected had weak, easy-to-guess passwords. The hacker simply worked them out and logged in.

2 – If the attacker already knew the email address which the victim is using for iCloud, then they could have used the “I forgot my password” link, assuming that the victim had not enabled two-factor authentication for iCloud. Without two-factor authentication, the password reset uses the traditional “security question” method. The peril in this for celebrities is that much of their personal information is already online, and a security question such as “Name of my first pet” may be a lot less “secret” for a celebrity than it is for you and me.

3 – The attacker broke into another connected account with weaker security or password, perhaps a webmail account that is used to receive password reset emails sent by iCloud.

4 – Password reuse. Too many people are happy to reuse the same password across multiple services. With so many people affected by recent high-profile mega-breaches, simple lookup services for stolen credentials and the number of details for sale online have skyrocketed, while at the same time the price of stolen data has tumbled, through oversupply. Of course if the victim is using the same password for iCloud as for another, already compromised or easily compromised, service the doors to iCloud are opened.

5 – Phishing. It’s old school but it still works. A targeted phishing mail sent to a number of celebrities, enticing them to enter their iCloud credentials onto a fake login page would do the job just as well as any more complex hack.

What are the lessons here for all of us?

If any online service is offering you options that increase your security, enable them. Even if you feel that turning on two-factor authentication may be slightly more inconvenient for you when logging in, I’m willing to bet that a compromise of a service at the heart of your digital life will be considerably more so.

Do not reuse passwords. It is never a good idea to use the same password across multiple web sites, so try to have a unique one for every site you use or better yet, use a Password Manager which offers you the convenience of only having to remember a single password with the security of unique passwords for every service.

As for those security or password reset questions, consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school” or “First pet”, remember the answer doesn’t have to be the truth, it only has to be something you can remember.

Deleted may not always mean deleted, as some of these victims are discovering. Familiarise yourself with the online services you use, find out if backups or shadow copies are taken and how they can be managed. In this case it seems that some of the victims may have believed that deleting the photos from their phones was enough, perhaps forgetting about Apple’s Photo Stream.

Oh, and the other thing: stop taking naked photos.

http://countermeasures.trendmicro.eu/naked-celebrities-revealed-by-icloud-hack/

Compromised Facebook accounts create scam events
http://countermeasures.trendmicro.eu/compromised-facebook-accounts-create-scam-events/
Thu, 28 Aug 2014 12:22:04 +0000

Compromised Facebook accounts are being used in new ways to make sure that Spam reaches its intended audience.

As I was sitting working away at my computer, an event notification popped up on my screen that confused me.

This notification confused me for a number of reasons, firstly I was pretty sure I hadn’t accepted any invitation to knock-off designer goods events and secondly, on inspecting my calendar and inbox I could find no trace of the event in question.

While I was checking through my calendar, enabling and disabling feeds to try to track down the source, a second notification popped up, this time within Facebook, for the same event and all became clear.

The account of one of my old school friends had obviously been compromised and used to create a scam event, a new form of social media Spam. Of course I have notified my friend immediately and reported the scam event. Quite aside from the novel Spam delivery mechanism, evading traditional anti-spam and web filtering technologies, it got me to thinking about the future of information in the Internet of Everything.

The scam Facebook event; I do not recommend visiting any URLs in this image.

IoE relies on a globally connected network of devices and services; both consumers and businesses want to connect all of these information sources, and we are already beginning to use the information generated to make automated decisions. For example, apps such as IFTTT (If This Then That) allow us to create smart rules combining discrete events and actions: “If someone tags me in a photo on Facebook, save a copy to my web storage” or “If the sun goes down, turn on the lights in my house”. This trend is set to continue and expand exponentially. With Gartner predicting 30 billion connected devices by 2020 and IDC predicting 212 billion, the only thing we can really be sure of is that the growth of this interconnected ecosystem will be huge.

Attackers will continue to search for the weakest link. A compromise at any point in the chain of information will lead to amplified effects in unforeseen areas as devices, processes, people and services become increasingly both interconnected and autonomous. Complexity is the enemy of security; in the interconnected IoE, tracking down the source of misinformation and the point of compromise may become impossible for the average consumer or business.

Unless proper authentication of the integrity, provenance and validity of information can be designed into the processes, devices and decision-making of the future, we’re not just opening up a new attack vector, we’re opening up our lives, our enterprises and our homes.

Quarantine is a word derived from the 17th-century Venetian for 40 (quaranta). The purpose of quarantine is to separate and restrict the movement of otherwise healthy organisms who may have been exposed to disease, to see if they become ill. The 40-day period was designed to identify carriers of the Bubonic plague or Black Death before they could go ashore and spread the contagion more widely. Desperate times call for desperate measures; nevertheless the concept was widely adopted and remains with us to this day.

The word quarantine has been thoroughly misused by the well-meaning security industry, where known infected files or systems are moved to a protected area until they can be examined and cleaned up. More accurately we should be calling this “isolation”, as in most cases we already know the subject to be compromised or infected. Nonetheless, this serves an equally important purpose of containing the spread of compromise and its consequences: abuse of compromised systems for sending Spam, theft of sensitive information and spread of infection, to name just a few.

Today’s unprecedented co-ordinated action between law enforcement, security providers such as Trend Micro and Internet Service Providers gives us a chance to consider how much more widely this concept could or should be applied in the fight against online crime. Desperate times call for desperate measures.

The Internet Service Providers involved in the action against GOZeuS and Cryptolocker are able to take advantage of the intelligence behind the law enforcement operation to identify which of their customers are infected, to notify them and assist them with clean-up. Should this not serve as the establishment of a standard for the future? Systems that are known to be compromised should be isolated until they can be cleaned-up.

When a global alert and education process such as we see today is rolled out, events may seem impressive, particularly to those involved in Information Security; 11 Law enforcement agencies, a list of security companies as long as your arm, press conferences and articles in national and international press. In reality, for the majority of internet users the story will simply pass them by. Educational initiatives are largely only successful at preaching to the choir, so to speak (trying to broaden the conversation was one of the motivations behind our 2020 series last year).

Steps must be taken to bring home to the regular internet user the consequences of their action or their inaction, because even doomsday headlines like “2 weeks to block cyber attack” are forgotten the day after they are published. Couple that with the very real possibility of “notification fatigue” as breach after breach and data-loss after data-loss make the news and people simply cease to care, if they ever did in the first place.

ISPs should, on an ongoing basis, take advantage of the threat intelligence feeds of the security industry to identify compromised systems connected to their networks. Those systems should be moved to quarantine, and the account owners should be contacted and directed to resources which will enable them to clean up and rectify the situation. Until such time as the infection is remediated the computer should be able to access only limited Internet resources. Don’t care will be made to care.
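To make the proposed process concrete, here is an added example (not code from this post and not any ISP’s or law enforcement’s actual system) of the three pieces it needs: matching subscriber DNS and flow records against an indicator feed, mapping the hits to customer accounts, and applying a “walled garden” egress policy that leaves only remediation resources reachable until clean-up. The indicator list, the customer mapping and the log lines are all constructed sample data using reserved documentation addresses and `.invalid` names.

```python
from collections import defaultdict

# Constructed indicator feed: placeholder C2 names and addresses in reserved documentation ranges.
INDICATORS = {
    "domain": {"c2-placeholder.example.invalid"},
    "ip": {"203.0.113.45"},
}
# Constructed ISP mapping of subscriber addresses to account ids.
CUSTOMERS = {"198.51.100.10": "acct-1001", "198.51.100.11": "acct-1002"}
# What a quarantined subscriber may still reach: the ISP help page and a vendor clean-up tool.
WALLED_GARDEN = {"help.isp.example.invalid", "cleanup.vendor.example.invalid"}

# Constructed sample of DNS and flow records from the ISP's own collectors.
SAMPLE_LOGS = """\
2014-06-03T09:00:01Z dns src=198.51.100.10 qname=c2-placeholder.example.invalid
2014-06-03T09:00:05Z flow src=198.51.100.11 dst=192.0.2.80 dport=443
2014-06-03T09:01:10Z flow src=198.51.100.11 dst=203.0.113.45 dport=8080
2014-06-03T09:02:00Z dns src=198.51.100.12 qname=www.example.invalid
"""

def parse_record(line):
    timestamp, kind, *pairs = line.split()
    return timestamp, kind, dict(p.split("=", 1) for p in pairs)

def matched_indicator(kind, fields):
    """Return the indicator a record matched, or None."""
    if kind == "dns" and fields.get("qname") in INDICATORS["domain"]:
        return fields["qname"]
    if kind == "flow" and fields.get("dst") in INDICATORS["ip"]:
        return fields["dst"]
    return None

def find_compromised(log_text):
    """Map each account with at least one indicator hit to its list of (timestamp, indicator)."""
    hits = defaultdict(list)
    for line in log_text.strip().splitlines():
        timestamp, kind, fields = parse_record(line)
        ioc = matched_indicator(kind, fields)
        if ioc is not None:
            account = CUSTOMERS.get(fields["src"], "unmapped:" + fields["src"])
            hits[account].append((timestamp, ioc))
    return dict(hits)

def quarantine_policy(hits):
    """Per flagged account: restrict egress to the walled garden, notify, keep the evidence."""
    return {
        account: {"allow": sorted(WALLED_GARDEN), "notify": True, "evidence": evidence}
        for account, evidence in hits.items()
    }

def egress_allowed(account, destination, policy):
    """Enforcement check: unflagged accounts are unaffected; quarantined ones get the garden only."""
    return account not in policy or destination in policy[account]["allow"]
```

The evidence list is kept with the policy entry on purpose: when the subscriber is contacted they need to be told what was seen and when, and the ISP needs to be able to show why the restriction was applied.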

A parallel has long existed in the auto world. Cars are subject to an annual check; if they do not pass this test of their roadworthiness they may not be driven on public roads until remedial works have been carried out, because they represent a danger to the driver and to other road users. Desperate times call for desperate measures.

If you’re making a list of high profile data breaches, you now have a new name to add to that list; eBay. In a posting in the “in the news” section of their web site eBay clarified to some extent the scale of the breach, although even the headline seems incapable of telling it like it is.

“The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth“

Although investigations are of course still ongoing, the current posting indicates that eBay are relatively sure that unauthorised access was only to one database, or certainly the wording of the article presents that view. For now, if you’re an eBay user, you need to change your password there and if you used that password on any other web site, you’re going to need to change it there too (yes, again). Unfortunately changing your name or address is not so easy, that’ll have to stay compromised I’m afraid.

Some questions for you, eBay (yes, I’m angry; this is MY data which I entrusted to you):

1 – If all this sensitive data was stored in one single database, why was it not encrypted? In fact, why would it not be encrypted even across multiple databases? I note with chagrin that “all PayPal financial information is encrypted”; still running a two-tier system?

2 – If you’re going to tell me that it was encrypted, but the attacker got access to stolen database credentials, why was there no two-factor authentication to access these crown jewels?

3 – Why did it only take compromised credentials to gain access to the corporate network? Again, where’s the multi-factor?

4 – Why has it taken an organisation with the resources of eBay three months to notice that data was being accessed inappropriately not to mention exfiltrated? Where are the breach detection systems?

5 – How was my password “encrypted”? I want details. I want to know which algorithm and how you salted it. I want to know the realistic chances of my password being brute-forced, so I can make an educated assessment of my level of exposure and offer practical advice to others.

Bonus question for extra points

– How were the initial accounts compromised and what are you going to do to make sure this doesn’t happen again?
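Question 5 asks which algorithm and what salting were used. To make concrete what a good answer looks like, here is an added example (not eBay’s code, and nothing the post says about eBay’s systems) of salted, iterated password hashing with PBKDF2-HMAC-SHA256 from Python’s standard library: a random per-user salt, a self-describing stored record, constant-time verification, and the property the question is really about, namely that two users with the same password get unrelated hashes, so a stolen table cannot be cracked in bulk against one precomputed lookup. The iteration count is an assumed value, not a figure from the post, and the accounts are constructed.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed work factor; tune to what your login latency budget allows
SALT_BYTES = 16

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record, algorithm$iterations$salt$hash, with a fresh random salt."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )

def verify_password(password, record):
    """Recompute from the parameters stored in the record and compare in constant time."""
    algorithm, iterations, salt_b64, hash_b64 = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record type: " + algorithm)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(actual, base64.b64decode(hash_b64))

def unsalted_sha1(password):
    """The pattern question 5 is worried about: one fast hash, no salt. Shown only as the bad baseline."""
    return "sha1$1$$" + hashlib.sha1(password.encode("utf-8")).hexdigest()

def leaks_password_equality(records):
    """True if two records share a hash value. An unsalted table does; that is what lets an
    attacker crack the most common passwords once and match them against every account."""
    hashes = [record.rsplit("$", 1)[1] for record in records]
    return len(hashes) != len(set(hashes))

if __name__ == "__main__":
    # constructed sample accounts; two users happen to pick the same password
    passwords = {"alice": "correct horse", "bob": "correct horse"}
    salted = [hash_password(p) for p in passwords.values()]
    unsalted = [unsalted_sha1(p) for p in passwords.values()]
    print("salted table leaks equality:", leaks_password_equality(salted))      # False
    print("unsalted table leaks equality:", leaks_password_equality(unsalted))  # True
    print("verify:", verify_password("correct horse", salted[0]), verify_password("wrong", salted[0]))
```

The record format carries its own algorithm name and cost, which is what allows a service to raise the iteration count later and re-hash each account at its next successful login; a breach notice that can state “PBKDF2-HMAC-SHA256, 16-byte random salt per user, N iterations” is the level of detail the question asks for.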

Effective security is no longer about designing architecture with the aim of keeping the attacker out permanently, that’s a pipe dream. If they want to get in, they will get in. Effective security is about accepting the reality of compromise, putting systems and processes in place that mean you discover and react in a timely fashion and crucially that you will make it extremely difficult for the attacker to leave with what they came for. How did you score?

You write at the end of your press statement “The same password should never be used across multiple sites or accounts.” I agree. I’m going to end my “statement” with this.

Sensitive data especially that which you hold in trust, should always be encrypted, no exceptions.

Oh, and if your email, when you send it, offers me a link to click to go and change my password, you’re off my Christmas list, for good.

http://countermeasures.trendmicro.eu/oy-vey-ebay-five-questions-for-you/

The “right to be forgotten” is not censorship.
http://countermeasures.trendmicro.eu/the-right-to-be-forgotten-is-not-censorship/
Tue, 13 May 2014 12:58:37 +0000

Image used under Creative Commons by Sara Biljana

Enshrining the right to be forgotten is a further step towards allowing individuals to take control of their own data, or even monetise it themselves, as we proposed in the 2020 white paper (Scenarios for the Future of Cybercrime).

The way the law stands in the EU currently, we have legal definitions for a data controller, a data processor and a data subject, an oddity which lands each of us in the bizarre situation where we are subjects of our own data rather than being able to assert any notion of ownership over it. With data ownership comes the right to grant or deny access to that data and to be responsible for its accuracy and integrity.

In response to today’s EU judgement, I have seen a lot of commentators immediately cry “censorship” and make all kinds of unsupportable comparisons with book-burning; these reactions are simply misguided and out of all proportion to the decision made.

The ruling is the right one. I suggest you read the judgement before making knee-jerk reactionary comments about censorship, libraries, signposts or whatever. The court recognises that information that was “legally published” remains so and that the individual has no right to censor it. However, they also recognise that search engines collect, retrieve, record, organise, store and disclose information on an ongoing basis and that this constitutes “processing” of data under the EU directive. Further, given that the search engine determines the means and purpose of their own data processing, they are also a “Data Controller” under that directive and again must fulfil the legal requirements of such an entity, any other court decision would weaken that whole directive beyond repair. The entirety of information turned up in response to a search on a person’s name, represents a whole new level of publishing and the discrete items of information would have been very difficult, if not impossible, to put together in the absence of a search engine.

Any other decision on this would have simply blown away the EU Data Protection directive, and that is not something any of us should be advocating.

Before personal data became a commodity mined by corporations and attackers alike, the need for a legal stance on the identity of the “owner” of data relating to oneself may have seemed laughable. However that has landed us in the situation of today when entities that mine and monetise that same data can refer to this very welcome EU ruling as “disappointing”. Commercially disappointing it may be, however it is a step, albeit a small one, in the right direction.

Heartbleed, the vulnerability which is the result of a coding error in the widely used OpenSSL encryption library, has been hogging all the headlines over the past few days, and rightly so: it represents a huge risk to information security for consumers and businesses alike.

You could be forgiven, given the majority of the coverage, for believing that as long as you waited for affected websites to update and subsequently changed your passwords you would be covered. Wrong: Heartbleed is more death by a thousand cuts than major cardiovascular event. It’s certainly true that by far the most widespread immediate risk, certainly in terms of numbers of potentially impacted individuals, is in the exposure of sensitive information by vulnerable web servers, information that could include passwords and session cookies, but even once this initial wave of patching is done the residual risk will be enormous.

OpenSSL is not restricted to use in web servers; it is also employed in email protocols, chat protocols and secure Virtual Private Network services, and it can be found in a plethora of networking and security products around the world, which is where the long-haul work is set to begin. Many vendors have already begun investigating their products and services for the presence of vulnerable versions of OpenSSL, and the list of confirmed affected products continues to grow. This promises to be open season for targeted attackers.

When a targeted attack is carried out against a corporate victim it can be broken down into a number of logical steps: intelligence gathering, point of entry, establishing command & control, lateral movement and exfiltration. It is during the lateral movement phase that the Heartbleed bug offers a highly effective and well-placed new weapon to the attacker’s arsenal. As the attacker begins to explore a compromised victim network they will now be routinely probing for the presence of the Heartbleed vulnerability on both servers and clients. If the bug is present it offers a silent and effective means to capture the credentials that will allow the attacker a route further into the compromised organisation and possibly even open doors which were previously closed.

Imagine if the software distribution mechanism that pushes out update packages through your organisation were compromised, just ask a well-known electronics store how that can work out. Imagine if an attacker could harvest credentials from all the employees as they logged in to the database holding your corporate crown jewels…

Of course the manufacturers and vendors are burning the midnight oil right now, identifying susceptible products and preparing patches, but it’s important to remember that issuing a patch does not resolve a problem. It’s the application of the patch that counts. Now is the time that you should be taking an inventory from every supplier you deal with identifying your exposure and working out your downtime and patch planning. Until you get those critical patches installed passwords are a dime a dozen at the all you can eat OpenSSL bar.
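The inventory and patch-planning step above is mostly a matter of collecting version strings from banners, package lists and vendor bulletins and sorting them into “vulnerable”, “not affected” and “no answer yet”. As an added example (not code from this post or from any vendor), here is a small triage helper that parses OpenSSL’s letter-suffixed version strings, classifies each asset, and separates the patch backlog from the assets still waiting on a supplier. The vulnerable range it uses, 1.0.1 through 1.0.1f plus 1.0.2-beta1, is not stated on this page; it is taken from the OpenSSL project’s own Heartbleed advisory. The inventory lines are constructed sample data.

```python
import re

# OpenSSL version as it appears in banners and package names: 1.0.1e, 1.0.1g, 1.0.2-beta1, 0.9.8y
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

def version_key(text):
    """Sortable key for the first OpenSSL version found in `text`, or None.
    A beta sorts before the release it precedes; a letter suffix sorts after the bare release."""
    match = VERSION_RE.search(text)
    if not match:
        return None
    major, minor, patch, letters, beta = match.groups()
    return (int(major), int(minor), int(patch), 0 if beta else 1, int(beta or 0), len(letters), letters)

# Assumed from the OpenSSL Heartbleed advisory, not from the post: 1.0.1 to 1.0.1f and 1.0.2-beta1.
FIRST_VULNERABLE = version_key("1.0.1")
LAST_VULNERABLE = version_key("1.0.1f")
VULNERABLE_BETA = version_key("1.0.2-beta1")

def classify(version_text):
    key = version_key(version_text)
    if key is None:
        return "unknown"
    if FIRST_VULNERABLE <= key <= LAST_VULNERABLE or key == VULNERABLE_BETA:
        return "vulnerable"
    return "not-affected"

# Constructed inventory: asset,source,version-as-reported
SAMPLE_INVENTORY = """\
web01,banner,OpenSSL 1.0.1e
vpn-gw,vendor-bulletin,1.0.2-beta1
mail01,package,openssl-1.0.1e-16.el6_5.7
build02,banner,OpenSSL 1.0.1g
legacy-db,package,openssl-0.9.8y
appliance-7,vendor-bulletin,pending
"""

def triage(inventory_csv):
    """Return {asset: status}. A 'package' source that looks vulnerable is marked for vendor
    confirmation, because some distributions backport the fix without bumping the version letter."""
    results = {}
    for line in inventory_csv.strip().splitlines():
        asset, source, version = line.split(",", 2)
        status = classify(version)
        if status == "vulnerable" and source == "package":
            status = "vulnerable-confirm-with-vendor"
        results[asset] = status
    return results

def patch_plan(results):
    """Assets needing action first, then the unknowns that still need an answer from the supplier."""
    needs_patch = sorted(a for a, s in results.items() if s.startswith("vulnerable"))
    needs_answer = sorted(a for a, s in results.items() if s == "unknown")
    return needs_patch, needs_answer
```

The “confirm with vendor” status is the important caveat: a version string alone says what was compiled, not whether a distribution has shipped a backported fix under the same letter, so the package cases need the vendor’s bulletin before they are closed out.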

I arrived in the office this morning to find a slew of birthday greetings awaiting me, both on Skype and even in direct message form on Twitter, where I was told that my birthday was appearing in someone’s calendar and they had no idea why. For a second I was confused, until my other half told me of her moment of abject fear that she had forgotten my birthday when she logged into Skype, and the proverbial penny dropped.

Like the queen, I have two birthdays each year, my real one and my Skype birthday and there is a good reason for this. Skype decided long ago that certain parts of your Skype profile information should be publicly available and Microsoft have continued this tradition. The privacy settings of these data items are non-configurable, this data comprises your first and last names, gender, detailed location and date of birth which taken together easily constitute “Personally Identifiable Information” under whichever jurisdiction you care to mention.

Whilst it is not compulsory to enter your date of birth on Skype in order to operate an account, you are certainly encouraged to do so, whether that be by the “Profile completeness” tips (you get an extra 10% for your birthday!) or the bald invitation to “Add your birthday”. However, it is not made clear when you add this data that it will only ever have a privacy setting of “Public”. Once you discover this, no doubt you will want to remove your date of birth, but the interface seems designed to fool you into thinking that this is neither possible nor wise.

“It’s a Security Thing”… It sure is!

Nonetheless it is entirely possible, and advisable to reset this information to read simply “Day”, “Month” & “Year” and to remove your birthdate from the public domain. Either that or elect to have a second alternate birthday, just like I did. I haven’t got any presents yet, but the attention on this Monday morning is lovely.

Of course your friends and people you trust need to know your birthday, otherwise how are you ever going to get the full set of Iron Maiden reissues as birthday presents (true story), but unfortunately information such as date of birth is still all too often used as important security information or qualifying information to apply for identity documents, and should not be broadcast so widely. In the words of the New York State Police:

“All an identity thief needs is any combination of your Social Security number, birth date, address, and phone number.”

We can argue the pure logic of their claim (“any combination”? surely not), but the fact remains that any information given freely, particularly in context, increases your risk of identity theft or fraud. If you think that enterprising online criminals are not really interested in this stuff, think again: as much as five years ago they were already referring to Facebook as a “Free DOB Lookup Service”. Of course that got resolved, but we all know that scammers actively solicit contacts on Skype already, and accepting the connection request is all it takes to give away your personal information.

Criminal forum post from 2009

We live in an age where everything is increasingly connected to everything else: accounts, applications, APIs, credentials, devices, personal details and more. The less you broadcast, the more you can begin the long process of reclaiming ownership over your own identity. A process which, for most of us, is long overdue.

Yesterday evening the FBI issued a press release regarding the legal action against Aleksandr Andreevich Panin, a Russian national perhaps better known as “Gribodemon” and “Harderman”, the online aliases behind the notorious SpyEye banking Trojan, and Hamza Bendelladj, a Tunisian national who went by the online moniker of “Bx1”. Panin has entered a guilty plea to the charges of conspiracy to commit wire and bank fraud; the charges against Bendelladj are still pending. The FBI press release gives thanks to Trend Micro’s Forward Looking Threat Research team for their assistance in the investigation.

Bendelladj is alleged to have operated at least one command and control server for SpyEye, although as our TrendLabs blog and our investigation make clear, his involvement seems to be far deeper. He was arrested at Bangkok airport on the 5th January 2013 and Panin was arrested on July 1 last year when he flew through Atlanta.

The FTR team at Trend Micro began a particularly focused investigation into the person or people behind SpyEye almost 4 years ago. Over the intervening period, we mapped out the infrastructure used to support the malware, we identified weak points in that infrastructure and pursued a number of important leads pointing to the identities of individuals behind this pernicious banking Trojan. Once we felt that we had sufficient information we involved law enforcement who drove it to the successful conclusion you see today.

Our ongoing research turned up a wealth of data, much of which it would be imprudent to share while legal action is still ongoing; however, it might interest you to know that some of the most frequent passwords used by one of the accused include “loveme”, “kissme” and “Danny000”. I’ll let you draw your own conclusions regarding OpSec.

The arrests last year and yesterday’s guilty plea are another illustration that Trend Micro’s strategy of going after the people behind online crime, instead of simply the infrastructure they exploit, is the right one. You may more often see stories that a botnet has been “taken down” resulting perhaps in a massive drop in the number of infected computers or Spam, but these types of activity while laudable are only temporary. Criminals will very soon come back and often come back stronger, having learned from their previous failures, the network of compromised computers will be rebuilt and the crime spree begin anew.

As with DNS Changer, as with the Reveton Ransomware, Trend Micro has proactively provided information and assistance to law enforcement that has led to arrests of individuals rather than the simple switching-off of criminal computers. It is through activities such as these that we hope to fulfil our mission of creating a world safe for exchanging digital information.

Usernames and phone numbers for more than 4.5 million Snapchat users have been published on a website called SnapchatDB.info after attackers took advantage of an exploit disclosed on the 23rd December 2013. According to TechCrunch, SnapchatDB said

“Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does”

This is of course not the first vulnerability that has been discovered in the Snapchat service or app; various methods of secretly saving photos or recovering deleted photos have already hit the headlines in recent months. Those were vulnerabilities in the app itself and would be exploited on the end-user device. This latest attack uses weaknesses in the API on the Snapchat servers themselves; the API is the method by which a Snapchat client communicates with the Snapchat service. These weaknesses allow an automated system to send an enormous number of queries to the Snapchat server in a short period of time, discovering whether or not a given telephone number exists in the Snapchat database and retrieving other information associated with that number; of course the numbers themselves will be mobile telephone numbers. This attack, combined with further mining of data, for example through social media, could easily be used to build a very large database of personal information for many kinds of further exploitation or resale. Although Snapchat were made aware of these vulnerabilities some months ago, GibsonSec, the publishers of the Proof of Concept exploit, claim that they are still easily exploitable, and SnapchatDB proves that point.
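The weakness described above is an API that answers an unbounded number of “does this phone number have an account?” queries, quickly, with a distinguishable yes/no. As an added example (not Snapchat’s code; the endpoint, request shape, directory and limits are all assumed), here is the server-side logic a defender would put in front of such a lookup: a sliding-window rate limit per caller so a bulk sweep stalls after a handful of queries, a single indistinguishable “no match” answer for unknown numbers and for users who have not opted in to being found, and an audit record for every throttled request so sweeps are visible to detection rather than silently absorbed. The clock is injectable so the behaviour can be exercised without waiting.

```python
import time
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """Allow at most `max_requests` per caller in any `window_seconds` interval."""
    def __init__(self, max_requests, window_seconds, clock=time.monotonic):
        self.max_requests, self.window, self.clock = max_requests, window_seconds, clock
        self.events = defaultdict(deque)

    def allow(self, caller):
        now = self.clock()
        q = self.events[caller]
        while q and q[0] <= now - self.window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True

# Constructed directory: phone number -> (username, user opted in to being findable by number)
DIRECTORY = {
    "+15550001111": ("alice", True),
    "+15550002222": ("bob", False),
}

def find_friend(caller_id, phone, limiter, audit_log):
    """Server-side 'find friends by phone' lookup with three defensive properties:
    1. a per-caller rate limit, so a bulk sweep stalls after a handful of queries;
    2. one indistinguishable 'no_match' answer for unknown numbers and opted-out users;
    3. an audit record for every throttled request, so sweeps are visible to detection."""
    if not limiter.allow(caller_id):
        audit_log.append({"event": "lookup_throttled", "caller": caller_id})
        return {"status": "throttled"}
    entry = DIRECTORY.get(phone)
    if entry is None or not entry[1]:
        return {"status": "no_match"}
    return {"status": "match", "username": entry[0]}

def throttled_callers(audit_log, threshold):
    """Detection side: callers throttled at least `threshold` times, for follow-up (block, challenge, review)."""
    counts = defaultdict(int)
    for record in audit_log:
        if record["event"] == "lookup_throttled":
            counts[record["caller"]] += 1
    return sorted(caller for caller, n in counts.items() if n >= threshold)

class FakeClock:
    """Controllable clock so the limiter can be exercised without sleeping."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds
```

The opt-in flag is what stops the lookup from being a general-purpose number-to-identity service: a number that is not in the directory and a number whose owner has chosen not to be findable produce the same answer, so the only thing a caller learns is about people who wanted to be found.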

These two areas, vulnerabilities in mobile apps and vulnerabilities in APIs, are still largely under-explored by criminals, but we fully expect to see malicious exploits, rather than simple proofs-of-concept, ramping up over the coming years. We, as users, store ever more data, often belonging to other people, on our mobile devices, and app developers are very interested in getting hold of that data, as are criminals. Far too many apps routinely request (or simply steal) the data contained in your address book, for example, and far too many app users are willing to surrender this data for the dubious “pleasure” of inviting their friends to yet another social network/messaging platform. Trend Micro’s own data collected in ongoing analysis through our Mobile App Reputation Service reveals that more than 20% of *all* apps are consistently leaking data, and the most common data to leak are your contacts, your location, your phone number and details about the handset and SIM.

In the old days, back when rainbows were still in black & white, if a stranger were to approach you in the street asking for a copy of your address book that would doubtless strike you as a bizarre request, likewise if a shop assistant insisted on the details of 100 of your friends in return for a discount voucher. Somehow as the data itself has become digitised and the means of transfer invisible and painless this has become entirely acceptable behaviour. Rather than continue this erosion of privacy; users of these types of service would be better advised to use the phone for its long-neglected purpose and maybe give those same friends a call, possibly even arrange to meet up(!) and talk about the great new app you’ve discovered in person, rather than selling your friends down the river.

As a social platform, your satisfied customers are your best ambassadors. If you begin to act in ways detrimental to their best interests then a storm is certainly coming, as Path found out to their cost in the early part of 2013.